The New York Department of State’s Division of Consumer Protection recently implemented an “Identity Theft Prevention and Mitigation Program” and adopted emergency regulations, effective immediately.  According to the Division, the program is intended to “(1) inform consumers about how to protect their personal identifying information; (2) help consumers prevent identity theft, including taking steps to protect their identities once their personal identifying information has been compromised, and (3) help consumers mitigate issues related to the theft of their identities.”

The regulations, a copy of which is available here, establish requirements and procedures to provide consumers with “the means to protect themselves against identity theft and to assure appropriate assistance and complaint resolution mechanisms are in place for the protection and repair of their financial and credit history in the event their personal identifying information has been compromised.”

The regulations apply to any consumer credit reporting agency “that regularly engages in the practice of assembling or evaluating and maintaining, for the purpose of furnishing consumer credit reports to third parties bearing on a consumer’s credit worthiness, credit standing, or credit capacity, public record information and credit account information from persons who furnish that information regularly and in the ordinary course of business.”

Under the regulations, consumer credit reporting agencies are required to comply with any written requests for “documentation and/or records” from the Division of Consumer Protection within ten days.  Section 226.5 envisions that the Division, while acting on behalf of a consumer to “investigate, mediate and/or mitigate an identity theft complaint” may require “substantiating and/or supporting documentation and/or records” from a consumer credit reporting agency.

In addition, under Section 226.6, each consumer credit reporting agency operating within New York state is “required to file with the Department such information as the Division finds necessary to effectively administer the Program.”  Such information includes the following:

(a)   the name of the consumer credit reporting agency;

(b)   the principles and officers of the consumer credit reporting agency;

(c)   the direct contact information for an individual or individuals within the consumer credit reporting agency available to the Division during regular business hours;

(d)   the direct contact information for an individual or individuals within the consumer credit reporting agency available to the Division within 24 hours of a notification of a security breach pursuant to GBL §399-aa(8)(a);

(e)   contact information available to consumers, including the consumer credit reporting agency’s web address, telephone number, and email address;

(f)    a listing of all proprietary products offered by the consumer credit reporting agency to consumers for the prevention or mitigation of identity theft, any and all fees associated with the purchase of or subscription to such products, and the contractual provisions and disclosures in relation to such purchase or subscription, including but not limited to scope of services, liability for negligent or erroneous provision of services, and cancellation requests;

(g)   a listing and description of all business affiliations and contractual relationships with any other entities, where such business affiliations or contractual relationships relate to the provision of any products or services advertised to consumers as products or services available for the prevention or mitigation of identity theft; and

(h)   the consumer credit reporting agency’s D-U-N-S number.

Violations of the regulations can be referred to the Office of the New York Attorney General, the Department of Financial Services, or any other appropriate law enforcement or regulatory entity for action.

Troutman Sanders will continue to monitor related developments concerning the emergency regulations and their applicability to the credit reporting industry.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Cindy D. Hanson Cindy D. Hanson

Consumer finance clients trust Cindy’s experience and skill to resolve their most challenging cases. Focused on class action defense, Cindy has handled numerous FCRA cases and is the point of contact for consumer protection defense.

Read more about Cindy D. HansonCindy's Linkedin Profile
Photo of David M. Gettings David M. Gettings

Dave is a partner of the firm who focuses on defending clients in consumer class actions and complex commercial litigation nationwide, particularly cases involving a variety of federal and state laws and regulations, including the Fair Credit Reporting Act (FCRA), the Telephone Consumer

Dave is a partner of the firm who focuses on defending clients in consumer class actions and complex commercial litigation nationwide, particularly cases involving a variety of federal and state laws and regulations, including the Fair Credit Reporting Act (FCRA), the Telephone Consumer Protection Act (TCPA) and associated FCC regulations, the Fair Debt Collection Practices Act, the Truth in Lending Act, the Electronic Fund Transfer Act, and many similar state consumer protection statutes.

Read more about David M. GettingsDavid M.'s Linkedin Profile
Show more Show less
Photo of Ronald I. Raether, Jr. Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.

Read more about Ronald I. Raether, Jr.Ronald I.'s Linkedin Profile
Show more Show less
Photo of Tim J. St. George Tim J. St. George

Tim defends institutions nationwide facing class actions and individual lawsuits. He has particular experience litigating consumer class actions, including industry-leading expertise in cases arising under the Fair Credit Reporting Act and its state law counterparts, as well as litigation arising from data breaches.

Read more about Tim J. St. GeorgeTim J.'s Linkedin Profile
Related Posts
CreditReporting_949857574
CFPB Continues "Pausing" Litigation: This Time in Medical Debt Rule Litigation
February 7, 2025
CreditReporting_907811408
CFPB Updates List of Consumer Reporting Companies for 2025
February 3, 2025
DebtBuyers_972743674
Seventh Circuit Reverses Summary Judgment in FDCPA Debt Dispute Case
January 30, 2025